python-pkcs11

C_Login can fail with CKR_USER_ALREADY_LOGGED_IN

Open wjmelements opened this issue 6 years ago • 3 comments

This happens fairly reliably if, within a loop that looks like this:

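while True:
  try:
    # arguments elided in the original report
    with pkcs11lib.get_token(...).open(...) as session:
      key = session.get_key(...)
      while True:
        key.sign(...)
  except Exception:
    # any error is swallowed and the outer loop opens a new session
    pass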

you put the client (Mac in my case) computer to sleep while running an Amphetamine session or equivalent.

I don't think this is a common issue, but when it does happen it may be good to work around the issue gracefully.

wjmelements avatar Jun 25 '19 01:06 wjmelements

In this case I think you're going to have to take care of it. We can't control how sessions to the HSM device are handled, since they're all handled separately.

danni avatar Jun 25 '19 03:06 danni

Can you be sure that C_Logout is not called here?

inorton avatar Oct 08 '19 16:10 inorton

I think the problem is you can't guarantee your connection to the HSM is still valid by the time you call C_Logout. Or whether the HSM library reset your connection in the meantime. It depends a lot on the setup of your HSM and I don't know how we'd handle it.

If your app can go to sleep, I would avoid holding long-term sessions. From a pure security POV, if your app goes to sleep, you probably don't want to maintain a session to the HSM? Someone could have walked off with your laptop!

danni avatar Oct 09 '19 00:10 danni
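
The advice above about not holding long-term sessions, as an added example that is not code from the thread or from python-pkcs11: each signature gets its own short-lived session, only login/session-state errors are retried (a bounded number of times), and everything else propagates instead of being swallowed. `sign_once`, `open_session`, `key_query` and `FakeToken` are hypothetical names, and `FakeToken` is a constructed stand-in for a token so the example runs without an HSM.

```python
import time

try:  # python-pkcs11's own exception classes, when the library is installed
    from pkcs11.exceptions import SessionHandleInvalid, UserAlreadyLoggedIn
except ImportError:  # stand-ins so the example runs without the library
    class UserAlreadyLoggedIn(RuntimeError): pass
    class SessionHandleInvalid(RuntimeError): pass

RECOVERABLE = (UserAlreadyLoggedIn, SessionHandleInvalid)


def sign_once(open_session, key_query, data, attempts=3, backoff=0.5):
    """Sign `data` in a session that exists only for this call.

    `open_session` is a zero-argument callable returning a context manager
    (assumed usage: lambda: token.open(user_pin=pin)); `key_query` holds the
    keyword arguments for session.get_key().
    """
    last = None
    for attempt in range(attempts):
        try:
            with open_session() as session:  # closed again on exit
                return session.get_key(**key_query).sign(data)
        except RECOVERABLE as exc:  # stale login or session handle: retry
            last = exc
            time.sleep(backoff * (attempt + 1))
    raise RuntimeError("token still unusable after %d attempts" % attempts) from last


class FakeToken:
    """Constructed test double: the first `failures` opens fail at login."""
    def __init__(self, failures):
        self.failures, self.opened, self.closed = failures, 0, 0
    def open(self):
        if self.failures > 0:
            self.failures -= 1
            raise UserAlreadyLoggedIn()
        self.opened += 1
        return self
    def __enter__(self): return self
    def __exit__(self, *exc_info):
        self.closed += 1
        return False
    def get_key(self, **query): return self
    def sign(self, data): return b"sig:" + data


if __name__ == "__main__":
    token = FakeToken(failures=2)  # two failed logins, then success
    print(sign_once(token.open, {"label": "signing-key"}, b"msg", backoff=0))
```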